PF and tcpdump Label Patch
N. Ersen SISECI
siseci at gmail.com
Wed Jun 21 13:39:26 UTC 2006
Hello,
I wrote a patch for PF to log "label" names like IPF's log-tag option.
PF already has a label option to mark rules in `pfctl -sr `, but it
does not write labels to the log file, which would be very useful for matching log
entries to rules, or to groups of rules created by lists
( pass from any to any port {10,20,30,40} label "passing_ports" etc...)
For example;
pass in log quick all keep state label MAIN_RULE
So a log line looks like this:
2006-06-21 18:26:06.969874 rule 67/0(match): pass in on bge0: label
MAIN_RULE: 192.168.9.99.53568 > 66.249.85.99.80: S ...
To properly use tcpdump to display log entries from the pflog0 interface,
tcpdump has to be patched as well. Since the above patch changes a struct in
pflog, log packets appear truncated without the tcpdump patch.
I tested both patches on FreeBSD 5.4 and FreeBSD 6.0.
I attached both patches.
Sincerely,
N. Ersen SISECI
http://www.enderunix.org
-------------- next part --------------
--- if_pflog.h.org Wed Apr 5 10:10:56 2006
+++ if_pflog.h Wed Apr 5 09:26:31 2006
@@ -40,6 +40,12 @@
#define PF_RULESET_NAME_SIZE 16
#endif
+#ifndef PF_RULE_LABEL_SIZE
+#define PF_RULE_LABEL_SIZE 64
+#endif
+
+#define PF_LOG_LABEL
+
struct pfloghdr {
u_int8_t length;
sa_family_t af;
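Review bot: The new `#define PF_LOG_LABEL` is unconditional, so the `#ifdef PF_LOG_LABEL` guards placed around the label field in the next hunk and around the printf in print-pflog.c can never be false, and every consumer that includes this header gets the enlarged layout. If the label is meant to be a build-time option, the define belongs in the build configuration rather than in the header itself; if it is not optional, the guards should go so readers do not expect two layouts to coexist. The `#ifndef PF_RULE_LABEL_SIZE` fallback of 64 also has to stay equal to the size of the label in `struct pf_rule` that if_pflog.c copies from; a compile-time assertion (FreeBSD's `CTASSERT`, if available in this tree) next to the define would pin that.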
@@ -50,6 +56,9 @@
u_int32_t rulenr;
u_int32_t subrulenr;
u_int8_t dir;
+#ifdef PF_LOG_LABEL
+ char label[PF_RULE_LABEL_SIZE];
+#endif
u_int8_t pad[3];
};
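Review bot: Inserting `char label[PF_RULE_LABEL_SIZE]` before `pad` changes the DLT_PFLOG on-wire header, so any pflog consumer built against the old `struct pfloghdr` (libpcap, pflogd, an unpatched tcpdump, or a saved capture read on another host) misparses every record, which is the truncation the cover letter describes; the same change is made to tcpdump's copy of the struct in the third pf.h hunk. The existing `u_int8_t length` field presumably carries the real header length, so a reader can distinguish the two layouts at runtime; the patch should state that contract on the new field, e.g. `/* valid only when length covers this field; readers must check before use */`, so tcpdump tests `hdr->length` rather than assuming the compiled-in layout. The field is also not guaranteed NUL-terminated on the wire, since if_pflog.c fills it with memcpy, and readers should treat it as a bounded byte array rather than a C string.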
--- if_pflog.c.org Wed Apr 5 10:10:52 2006
+++ if_pflog.c Wed Apr 5 10:47:01 2006
@@ -296,6 +296,7 @@
hdr.action = rm->action;
hdr.reason = reason;
memcpy(hdr.ifname, kif->pfik_name, sizeof(hdr.ifname));
+ memcpy(hdr.label, rm->label, sizeof(rm->label));
if (am == NULL) {
hdr.rulenr = htonl(rm->nr);
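Review bot: `memcpy(hdr.label, rm->label, sizeof(rm->label))` bounds the copy by the source rather than the destination, unlike the `hdr.ifname` line directly above it; if the size of `struct pf_rule`'s label and `PF_RULE_LABEL_SIZE` ever diverge the copy overruns `hdr.label`. Prefer `strlcpy(hdr.label, rm->label, sizeof(hdr.label));` so that only the label text is written to the log interface, not whatever trails the terminator in the rule's buffer, and the field is always NUL-terminated for readers. The enclosing function starts and ends outside the hunk, so whether `hdr` is zeroed beforehand cannot be confirmed here.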
-------------- next part --------------
--- pf.h.org Wed Apr 5 10:15:22 2006
+++ pf.h Wed Apr 5 10:18:15 2006
@@ -55,6 +55,8 @@
}
#define PF_RULESET_NAME_SIZE 16
+#define PF_RULE_LABEL_SIZE 64
+
/* from $OpenBSD: if_pflog.h,v 1.9 2003/07/15 20:27:27 dhartmei Exp $ */
@@ -62,6 +64,8 @@
#define IFNAMSIZ 16
#endif
+#define PF_LOG_LABEL
+
struct pfloghdr {
u_int8_t length;
sa_family_t af;
@@ -72,6 +76,9 @@
u_int32_t rulenr;
u_int32_t subrulenr;
u_int8_t dir;
+#ifdef PF_LOG_LABEL
+ char label[PF_RULE_LABEL_SIZE];
+#endif
u_int8_t pad[3];
};
#define PFLOG_HDRLEN sizeof(struct pfloghdr)
--- print-pflog.c.org Wed Apr 5 10:15:31 2006
+++ print-pflog.c Wed Apr 5 10:17:44 2006
@@ -81,11 +81,20 @@
printf("rule %u.%s.%u/", ntohl(hdr->rulenr), hdr->ruleset,
ntohl(hdr->subrulenr));
- printf("%s: %s %s on %s: ",
+#ifndef PF_LOG_LABEL
+ printf("%s: %s %s on %s:",
tok2str(pf_reasons, "unkn(%u)", hdr->reason),
tok2str(pf_actions, "unkn(%u)", hdr->action),
tok2str(pf_directions, "unkn(%u)", hdr->dir),
hdr->ifname);
+#else
+ printf("%s: %s %s on %s: label %s: ",
+ tok2str(pf_reasons, "unkn(%u)", hdr->reason),
+ tok2str(pf_actions, "unkn(%u)", hdr->action),
+ tok2str(pf_directions, "unkn(%u)", hdr->dir),
+ hdr->ifname,
+ hdr->label);
+#endif
}
u_int
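Review bot: `hdr->label` is printed with a bare `%s` in the new `printf`, but it is a fixed 64-byte field taken from the captured record, not a guaranteed NUL-terminated string; on a record whose label fills the field, `printf` keeps reading into the following packet bytes and can run past the captured buffer. Bound the print, `printf("%s: %s %s on %s: label %.*s: ", ..., hdr->ifname, (int)sizeof(hdr->label), hdr->label);`, or use the file's existing bounded string printer if it has one. The `#ifndef PF_LOG_LABEL` branch also drops the trailing space after `on %s:` that the removed line had, an unintended output change, and since the patched pf.h always defines PF_LOG_LABEL that branch is dead. The enclosing function starts outside the hunk, so whether its caplen check covers the enlarged header is not visible here.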